Hackers are going to great lengths, including mimicking real people and creating and updating fake social media profiles, to trick victims into clicking phishing links and handing over usernames and passwords.
The end goal of the phishing attacks is to dupe the victim into clicking malicious links that direct to fake, but realistic-looking, login pages, where the victim will enter their login credentials, providing the attackers with access to their account, which hackers abuse directly or use to gain access to other victims.
Many of the malicious links are designed to look like commonly used cloud software and collaboration tools, including OneDrive, Google Drive, and other file-sharing platforms. In one case, the attackers even set up a Zoom call with the victim and then sent a malicious URL in the chat during the call. They’ve also created multiple characters in the phishing thread (all controlled by the attackers) to add the appearance of legitimacy.
The first stage of the spear-phishing attacks is research and preparation, with the attackers using publicly available profiles, such as social media and networking platforms, to find out as much as possible about the targets, including their real-world professional and personal contacts.
It’s also common for the attackers to set up fake social media and networking profiles based on real people to help make the approaches look convincing, while some of the approaches are designed to look as if they relate to real events but are fabricated.
According to NCSC, the campaigns are the work of cyberattackers based in Russia and Iran. The Russian and Iranian campaigns aren’t related, but the tactics overlap because they’re effective at tricking people into falling victim to phishing attacks. No matter who the attackers are impersonating, or what lure they’re using, one feature common to many of the spear-phishing campaigns is how they target personal email addresses.
Another key technique behind these phishing campaigns is patience by the attackers, who take time to build a rapport with their targets. These attackers don’t immediately dive in, asking their target to click a malicious link or open a malicious attachment. Instead, they build up trust slowly.
This process usually begins with a first email that looks benign, often related to a topic that — thanks to meticulous preparation — has a high chance of being interesting and engaging to their target.
The attackers will then send emails back and forth with their target, sometimes for an extended period, waiting until they’ve built up the level of trust required for the victim to have no qualms about opening a link or an attachment.
The malicious link will be sent under the guise of a document or a website that is interesting and relevant to the victim — for example, a conference invite or agenda — which redirects the victim to a server controlled by the attacker.
When the victim enters their username and password to access the malicious link, these details are sent to the attackers, who can now exploit the victim’s emails and additional accounts.
According to NCSC, this exploitation includes stealing information and files from accounts, as well as monitoring future emails and attachments the victim sends and receives.
The attackers have also used access to a victim’s email account to harvest mailing-list data and contact lists, information that is then exploited for follow-on campaigns, with the attackers using the compromised email address to conduct further phishing attacks against others.
“These campaigns by threat actors based in Russia and Iran continue to ruthlessly pursue their targets in an attempt to steal online credentials and compromise potentially sensitive systems,” said Paul Chichester, NCSC director of operations.
“We strongly encourage organisations and individuals to remain vigilant to potential approaches and follow the mitigation advice in the advisory to protect themselves online,” he added.
NCSC warns users to be vigilant and on the lookout for techniques detailed in the alert, such as emails purporting to be related to professional circumstances, which are sent to personal email addresses.
It’s recommended that you use a strong password to secure your email account, one which is separate from the passwords for any of your other accounts, so that in the event of attackers somehow managing to steal your email password, they can’t use it to gain access to your other accounts.
Another way to help protect your account against phishing attacks is to turn on multi-factor authentication, which can prevent hackers from accessing your account, even if they know your password, as well as providing you with a warning that your credentials might have been compromised.
An odd new phishing scam is using blank images to scam users – and you may not even realize it, experts have claimed.
The format, which researchers at email security company Avanan describe as ‘blank image’, consists of threat actors embedding empty .svg files encoded with Base64 inside HTML attachments, which allows them to avoid URL redirect detection.
In this case, e-signature platform DocuSign is the targeted host, with scammers sending out a seemingly legitimate DocuSign email containing an HTML attachment that, when clicked, opens what appears to be a blank image.
Blank image scam
The catch, though, is that JavaScript has been found within the image that leads users to a malicious URL in a method rarely seen up until now. For this reason, many security services will typically fail to detect the threat.
DocuSign is trusted by many businesses, so it’s hard to believe that its name could now be used to scam employees and consumers; however, we’ve reported several cases of scams impersonating the platform.
Avanan said: “This attack builds upon the wave of HTML attachment attacks that we’ve recently observed targeting our customers, whether they be SMBs or enterprises.”
“By layering obfuscation upon obfuscation, most security services are helpless against these attacks.”
For end users, Avanan suggests being wary of emails that contain HTML (.htm) attachments. Companies can protect their workers even further by implementing a block on emails that contain such files, treating them just like any other executable (like .exe files).
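As an added defender-side example (not code from Avanan or the article), the scanner below applies the two checks the text describes to a single attachment: it flags .htm/.html attachments outright, and decodes any Base64 SVG data URI found inside to look for embedded script. The sample attachment, the `<object>` element and the placeholder URL are constructed assumptions.

```python
"""Mail-gateway style check for the 'blank image' HTML-attachment pattern."""
import base64
import re

# Constructed sample, not a real lure: a one-pixel SVG carrying a script,
# Base64-encoded and embedded in an HTML file as a data: URI.
SAMPLE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">'
    '<script>window.location = "https://example.invalid/placeholder";</script>'
    "</svg>"
)
SAMPLE_HTML = (
    '<html><body><object data="data:image/svg+xml;base64,'
    + base64.b64encode(SAMPLE_SVG.encode()).decode()
    + '"></object></body></html>'
)

# Base64 SVG data URIs, and the markers that mean the SVG can run code.
SVG_DATA_URI = re.compile(r"data:image/svg\+xml;base64,([A-Za-z0-9+/=]+)", re.I)
SCRIPT_MARKERS = re.compile(r"<script\b|\bon[a-z]+\s*=|javascript:", re.I)


def extract_embedded_svgs(html: str) -> list[str]:
    """Decode every Base64 SVG data URI found in an HTML document."""
    decoded = []
    for match in SVG_DATA_URI.finditer(html):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
        except ValueError:  # binascii.Error is a ValueError: skip bad Base64
            continue
        decoded.append(raw.decode("utf-8", "replace"))
    return decoded


def scan_attachment(filename: str, content: bytes) -> list[str]:
    """Return findings for one attachment; an empty list means nothing flagged."""
    findings = []
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if ext not in ("htm", "html"):
        return findings
    findings.append("html-attachment")  # treat like an executable, as advised
    svgs = extract_embedded_svgs(content.decode("utf-8", "replace"))
    if svgs:
        findings.append(f"embedded-base64-svg:{len(svgs)}")
    if any(SCRIPT_MARKERS.search(svg) for svg in svgs):
        findings.append("svg-contains-script")
    return findings


if __name__ == "__main__":
    print(scan_attachment("DocuSign.htm", SAMPLE_HTML.encode()))
```

A real gateway would apply `scan_attachment` to every MIME part, quarantining on `svg-contains-script` and, if the stricter Avanan advice is followed, on `html-attachment` alone.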
TechRadar Pro has asked DocuSign whether it is taking any steps against the scam, however imitation attacks like this are rarely preventable.
Technological advancements are shaping the future of fintech and cybersecurity.
The volume of digital money transfers is projected to grow past 300,000 million in 2026 – 50% more than current figures in 2022. As digital operations continue to expand, the development of adequate and cost-effective cybersecurity protection, risk mitigation and regulatory compliance become increasingly important to companies of all sizes, across all industries.
As cyberthreats become more sophisticated and companies become more complex in structure and needs, collaboration is needed to ensure that processes are streamlined across all levels of any given organisation.
Being proactive and reactive
In an ideal world, adequate cybersecurity protection would be enough to prevent any and all cyberattacks from taking place. But in reality, you can’t expect to be totally immune from all cyber risks, so a robust cyber security strategy has to include managing breaches as well as preventing them.
In the last 12 months alone, 39% of UK businesses identified a cyberattack, amounting to an average cost of £4,200 for small businesses, and up to £19,400 for medium and large businesses. Hence, companies must not only invest in cyberattack prevention, but also adopt effective reactive measures to respond to these threats, should they arrive.
To protect a business across all levels, companies must install effective security controls such as endpoint and border protection, cloud data capabilities, and data privacy regulations.
Businesses in the fintech space are particularly sensitive to cyber risks, as many have to handle large banking networks while maintaining the accounts of thousands, if not millions, of users in real time and across continents. For this reason, establishing specialised controls in your technological infrastructure and digital services ensures that risks can be identified and managed as quickly as possible.
In cybersecurity, every minute counts – as much as it is important to prevent attacks from happening, the key is to quickly detect and remedy them when they do.
The importance of collaboration
The CISO has a vital role within companies, and one which is currently evolving. Beyond technical knowledge, one of the most important aspects of the CISO’s role in an enterprise is collaboration.
Information security and data protection controls permeate all levels and departments of a company, not just tech. As such, it is important to relay technical information succinctly to all relevant directors and parties, ensuring all teams are adequately equipped to manage cyber risks.
There is a wide range of cybersecurity services that can be adopted. This includes perimeter and cloud security, device security, network security, threat hunting, DevSecOps, and web and mobile application security. To make them all function, and operate as tightly as possible, you must work with a team of experts, to ensure that your company is at the forefront of new advances in cybersecurity.
The removal of silos is therefore integral to ensuring companies are prepared and equipped to defend themselves against cyber-attacks.
What’s next?
From a regulatory standpoint, we look forward to the adoption of the European Union’s Digital Operational Resilience Act (DORA), expected in 2023. This is intended to target financial institutions and critical service providers, providing a new framework for digital operations which can be expected to change the game globally, much like the General Data Protection Regulation (GDPR) did. Hence, now is the time for companies to undergo an internal readiness assessment, identifying business areas where greater efficiency protocols can be implemented, ahead of its rollout.
Moreover, in the year ahead we will see cybersecurity developments in process automation – a cost-effective way of ensuring security is enhanced. With the number of risks and threats to be processed and managed constantly increasing, automation will increasingly be implemented to ensure that human expertise is applied strategically in areas that cannot do without.
However, with all these developments and changes on the horizon, one thing remains: cybersecurity teams must work collaboratively with all facets of the business to ensure the organisation and its customers are best protected.
About the Author
Eric Schifflers is Ria Money Transfer’s CISO. Ria Money Transfer, a business segment of Euronet Worldwide, Inc. (NASDAQ: EEFT), delivers innovative financial services including fast, secure, and affordable global money transfers to millions of customers along with currency exchange, mobile top-up, bill payment and check cashing services, offering a reliable omnichannel experience. The company is steadfast in its commitment to serve its customers and the communities in which they live, opening ways for a better everyday life.